Most people have an email address on their profile; that's PII. One could post one's name; that's definitely PII, and AIUI that affects all the data then on the site, as it's now associated.
Article 4(1) of the GDPR states the relevant definition: "Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
That should be read in light of the recitals, for instance recital 26:
"The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
From these I think it should be obvious that forum comments may be (and even probably are) considered to be personal data under the GDPR.
It’s also obvious that many comments might not be PII too, right? Whether they are depends entirely on whether the user has chosen to share PII, but in any case it’s not automatic, it’s not structured data that’s easily searchable in general, and typically depends on whether other identifying information is available. In other words, HN doesn’t ask for PII, has no way to know what comments are PII in general, has no way to reliably identify EU citizens, does not operate in the EU or target EU citizens, has no structured way to profile EU citizens. I’m wildly in favor of online data protections, and I think the GDPR has done many good things, but this particular example does not seem to constitute a clear example of either GDPR applicability or (tangentially & IMO) of need for data control.